fix: pre-check Firestore para email cambio (Firebase Auth EEP silencia el error)#43
Merged
Merged
Conversation
… EEP silencia el error)
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bug reportado
Al intentar cambiar el email a uno ya registrado (en este caso una cuenta Gmail usada con Google sign-in):
Causa raiz
Firebase Email Enumeration Protection (EEP) esta activa por defecto en proyectos nuevos. Cuando lo esta:
verifyBeforeUpdateEmail(user, newEmail)con un email ya en uso devuelve success silencioso (noauth/email-already-in-use, no email enviado).Mi codigo capturaba
auth/email-already-in-usecorrectamente, pero Firebase nunca lo lanza estando EEP activa.Fix (codigo)
Pre-check Firestore antes de llamar a Firebase:
src/infrastructure/firebase/FirestoreUserRepository.ts: nuevo metodofindUserIdByEmail(email)que hacequery(users, where('email', '==', email), limit(1)). La reglausers -> allow read: if auth != nullya permite la query y los campos single-field se auto-indexan, asi que sin cambios de reglas o indexes.src/infrastructure/firebase/FirebaseAuthService.ts -> requestEmailChange: llama afindUserIdByEmailantes deverifyBeforeUpdateEmail. Si encuentra otro user con ese email, lanzaError('email-taken')para fail-fast con mensaje claro.src/components/profile/AccountSecurityForm.tsx: el handler captura tantomessage === 'email-taken'(nuestro pre-check) comocode === 'auth/email-already-in-use'(Firebase post-EEP-disable) con el mismo mensaje "Ese email ya está en uso por otra cuenta".Fix (Firebase Console — manual, fuera de codigo)
EEP tiene que estar OFF para cubrir el caso edge: usuarios que firmaron con Google y nunca completaron el perfil (existen en Firebase Auth pero NO en Firestore). El pre-check Firestore no los detecta. Con EEP off, Firebase Auth lanza
auth/email-already-in-usey nuestro handler lo captura.Pasos:
Trade-off: con EEP off, un atacante puede enumerar emails registrados (probar emails uno a uno y leer el codigo de error). Mitigado por el rate limit nativo de Firebase Auth. Para gororeads (tracker social pequeño) el riesgo es aceptable. Documentado en CLAUDE.md.
Cobertura del fix
Las dos capas juntas cubren todos los casos.
Testing
npx astro checksolo persiste el preexistentenpm run test:run60/60npm run buildokDocumentacion
CLAUDE.md-> seccion## Notas de funcionamiento-> el bullet de cambio de email actualizado con la doble capa, y un bullet aparte con marca